|
Domain Admin functionality on Samba 3.0.2a with TDBSAM
Firstly I apologise for the length of this question; I am hoping that if I
document everything I did someone might respond / be able to help.
My Configuration is Samba 3.0.2a as a PDC on Redhat 8. I cannot for the
life of me get the "Domain Admins" functionality to work
I am hoping that another set of eyes can shed some light on this problem
as I have now spent 41 hrs googling / reading samba docs / configuring
samba and linux.
I am using the tdbsam backend
[global]
---snip----
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
passdb backend = tdbsam
---snip----
I have the following unix groups:
GrpName GID
======== ====
ntadmins 702
users 100
mikey 700
administrator 703
I have the following users:
UsrName GID Primary Group Groups
======== ==== ============ =======================
mikey 600 ntadmins users,root,mikey
administrator 603 ntadmins users,root,admnistrator
I have used Pdbedit to add user 'mike' and 'administrator' to the trivial
database
[root@juan root]# pdbedit -L -v -u mikey Unix username: mikey
NT username:
Account Flags: [U ]
User SID: S-1-5-21-4105664934-1074514724-3375437219-2200
Primary Group SID: S-1-5-21-4105664934-1074514724-3375437219-1201
Full Name: Mike Young
Home Directory: \\juan\mikey
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\juan\profiles\mikey\0.0.0.0
Domain: E-MAGE
---snip----
[root@juan root]# pdbedit -L -v -u administrator Unix username:
administrator
NT username:
Account Flags: [U ]
User SID: S-1-5-21-4105664934-1074514724-3375437219-2206
Primary Group SID: S-1-5-21-4105664934-1074514724-3375437219-702
Full Name: wrkgrp domain administrator
Home Directory: \\juan\administrator
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\juan\profiles\administrator\0.0.0.0
Domain: E-MAGE
---snip----
I have used net groupmap to add the unix groups
'USERS','NOBODY','NTADMINS'
net groupmap add unixgroup=nobody ntgroup="Domain Guests" net groupmap add
unixgroup=ntadmins ntgroup="Domain Admins" net groupmap add
unixgroup=users ntgroup="Domain Users"
I have used net groupmap to MAP the unix groups
'USERS','NOBODY','NTADMINS' to the NT groups
net groupmap modify ntgroup="Domain Guests" UNIXgroup=nobody net groupmap
modify ntgroup="Domain Admins" UNIXgroup=nobody net groupmap modify
ntgroup="Domain Users" UNIXgroup=nobody
When I do a net groupmap list I get:- [root@juan root]# net groupmap list
System Operators (S-1-5-32-549) -> -1 Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-2405) -> ntadmins
Domain Users (S-1-5-21-4105664934-1074514724-3375437219-1201) -> users
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-1199) -> nobody
Domain Admins (S-1-5-21-4105664934-1074514724-3375437219-512) -> ntadmins
Domain Guests (S-1-5-21-4105664934-1074514724-3375437219-514) -> nobody
Domain Users (S-1-5-21-1097365102-1206842487-1930028900-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Admins (S-1-5-21-50666885-4256340010-4152097897-702) -> ntadmins
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1 Domain Admins
(S-1-5-21-50666885-4256340010-4152097897-512) -> -1 Domain Admins
(S-1-5-21-1097365102-1206842487-1930028900-512) -> -1 Backup Operators
(S-1-5-32-551) -> -1 Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-1097365102-1206842487-1930028900-514) -> -1 Domain
Users (S-1-5-21-4105664934-1074514724-3375437219-513) -> -1
I then created the appropriate machine accounts through unix
I then log on to a win2k or XP workstation as a local administrator and
join the domain as user 'ROOT' and using the user management tool I add my
DomainName\Domain Admins group to the local administrators group.
I then re-logon to the win2k or XP workstation as the domain user either
(mike or administrator. These both logon successfuly but are NOT Domain
Admins or Administrators of the workstation -Why?
|
